(54) Privacy-enhanced database

(57) A method, apparatus, article of manufacture, and a memory structure for storing and retrieving data in a database implementing privacy control is disclosed.

The apparatus comprises a data storage device, storing a database table comprising a plurality of data columns and at least one data control column for storing data control information reflecting consumer privacy parameters, wherein the database table comprises an identity segment for storing identity information and a personal information segment for storing personal information, and a processor, operatively coupled to the data storage device, the processor implementing a dataview suite for presenting data retrieved from the database table in accordance with the data control information.

The method comprises the steps of extending a database table comprising a plurality of data columns to include at least one data control column for storing data control information reflecting at least one consumer privacy parameter, storing identity information about the consumer in an identity segment of the database table and personal information about the consumer in a personal information segment of the database table, receiving a data request from a requesting entity having data privileges, and providing the data to the requesting entity via a dataview selected in accordance with the requesting entity's data privileges, the dataview masking the data in accordance with the consumer privacy parameter. The program storage device comprises a medium for storing instructions performing the method steps outlined above.
Description

[0001] The present invention relates to systems and methods of data warehousing and analysis, and in particular to a system and method for enforcing privacy constraints on a database management system.

[0002] Database management systems are used to collect, store, disseminate, and analyze data. These large-scale integrated database management systems provide an efficient, consistent, and secure data warehousing capability for storing, retrieving, and analyzing vast amounts of data. This ability to collect, analyze, and manage massive amounts of information has become a virtual necessity in business today.

[0003] The information stored by these data warehouses can come from a variety of sources. One important data warehousing application involves the collection and analysis of information collected in the course of commercial transactions between businesses and consumers. For example, when an individual uses a credit card to purchase an item at a retail store, the identity of the customer, the item purchased, the purchase amount and other related information are collected. Traditionally, this information is used by the retailer to determine if the transaction should be completed, and to control product inventory. Such data can also be used to determine temporal and geographical purchasing trends.

[0004] Similar uses of personal data occur in other industries. For example, in banking, the buying patterns of consumers can be divined by analyzing their credit card transaction profile or their checking/savings account activity, and consumers with certain profiles can be identified as potential customers for new services, such as mortgages or individual retirement accounts. Further, in the telecommunications industry, consumer telephone calling patterns can be analyzed from call-detail records, and individuals with certain profiles can be identified for selling additional services, such as a second phone line or call waiting.

[0005] Additionally, data warehouse owners typically purchase data from third parties, to enrich transactional data. This enrichment process adds demographic data such as household membership, income, employer, and other personal data.

[0006] The data collected during such transactions is also useful in other applications. For example, information regarding a particular transaction can be correlated to personal information about the consumer (age, occupation, residential area, income, etc.) to generate statistical information. In some cases, this personal information can be broadly classified into two groups: information that reveals the identity of the consumer, and information that does not. Information that does not reveal the identity of the consumer is useful because it can be used to generate information about the purchasing proclivities of consumers with similar personal characteristics. Personal information that reveals the identity of the consumer can be used for a more focused and personalized marketing approach in which the purchasing habits of each individual consumer are analyzed to identify candidates for additional or tailored marketing.
[0007] Another example of an increase in the collection of personal data is evidenced by the recent proliferation of "membership" or "loyalty" cards. These cards provide the consumer with reduced prices for certain products, but each time the consumer uses the card with the purchase, information about the consumer's buying habits is collected. The same information can be obtained in an on-line environment, or purchases with smart cards, telephone cards, and debit or credit cards.
[0008] Unfortunately, while the collection and analysis of such data can be of great public benefit, it can also be the subject of considerable abuse. In the case of loyalty programs, the potential for such abuse can prevent many otherwise cooperative consumers from signing up for membership awards or other programs. It can also discourage the use of emerging technology, such as cash cards, and foster continuation of more conservative payment methods such as cash and checks. In fact, public concern over privacy is believed to be a factor holding back the anticipated explosive growth in web commerce.

[0009] For all of these reasons, as well as regulatory constraints, when personal information is stored in data warehouses, it is incumbent on those that control this data to protect the data from such abuse. As more and more data is collected in this, the computer age, the rights of individuals regarding the use of data pertaining to them have become of greater importance.
[0010] It is an object of the present invention to provide a system and method which provides all the advantages of a complete data warehousing system, while addressing the privacy concerns of the consumer.
[0011] From a first aspect, the present invention resides in a data warehousing, management, and privacy control system, characterized by:

a data storage device, storing a database table comprising a plurality of data columns and at least one data control column, the data control column for storing data control information reflecting consumer privacy parameters;

wherein the database table comprises an identity segment for storing identity information and a personal information segment for storing personal information; and

a processor, operatively coupled to the data storage device, the processor implementing a dataview suite for presenting data retrieved from the database table in accordance with the data control information.

[0012] From a second aspect, the present invention resides in a method of retrieving data in a database implementing privacy control, characterized by the steps of:

extending a database table comprising a plurality of data columns to include at least one data control column for storing data control information reflecting at least one consumer privacy parameter;

storing identity information about the consumer in an identity segment of the database table and personal information about the consumer in a personal information segment of the database table;

receiving a data request from a requesting entity having data privileges; and

providing the data to the requesting entity via a dataview selected in accordance with the requesting entity's data privileges, the dataview masking the data in accordance with the consumer privacy parameter.

[0013] From a third aspect, the present invention resides in a program storage device, readable by a computer, embodying one or more instructions executable by the computer to perform method steps for retrieving data in a database implementing privacy control, the method steps characterized by the steps of:

extending a database table comprising a plurality of data columns to include at least one data control column for storing data control information reflecting at least one consumer privacy parameter;

storing identity information about the consumer in an identity segment of the database table and personal information about the consumer in a personal information segment of the database table;

receiving a data request from a requesting entity having data privileges; and

providing the data to the requesting entity via a dataview selected in accordance with the requesting entity's data privileges, the dataview masking the data in accordance with the consumer privacy parameter.

[0014] One embodiment of the present invention also utilizes a privacy metadata system that administers and records all data, users, and usage of data that is registered as containing privacy elements. This metadata service provides for locating, consolidating, managing, and navigating warehouse metadata. It also allows for setting aside an area from which all system aspects of privacy are registered, administered, and logged in an auditable format.

[0015] Embodiments of the present invention will now be described with reference to the accompanying drawings in which:

[0016] Referring now to the drawings in which like reference numbers represent corresponding parts throughout:

FIG. 1 is a system block diagram of an exemplary embodiment of a data warehousing system;
FIG. 2 is a block diagram presenting an illustrative example of the structure of customer tables stored in the privacy-extended customer tables and the database views;
FIG. 3 is a block diagram presenting another illustrative example of the customer tables;
FIG. 4 is a block diagram presenting an overview of the operation of the privacy auditing features of the present invention;
FIG. 5 is a flow chart illustrating exemplary operations used to practice one embodiment of the present invention;
FIG. 6 is a flow chart illustrating exemplary operations used to provide data to a requesting user via a dataview;
FIG. 7 is a diagram showing an alternative embodiment of the privacy data warehouse with a separately deployed trusted database;
FIG. 8 is a diagram showing an alternative embodiment of the privacy data warehouse with a privacy metadata services interface interposed to manage and log all data access; and
FIG. 9 is a diagram showing an exemplary implementation of data views with an interposed privacy metadata services interface.

Overview 

[0017] FIG. 1 is a system block diagram presenting an overview of a data warehousing system 100. The system comprises secure data warehouse 102 having a database management system 104 storing one or more extended databases 106 therein.

[0018] One important capability of a database management system is the ability to define a virtual table and save that definition in the database as metadata with a user-defined name. The object formed by this operation is known as a View or a database view (the particular database views used in the present invention are hereinafter referred to as "dataviews"). As a virtual table, a dataview is not physically materialized anywhere in the database until it is needed. All accesses to data (with the possible exception of data access for administrative purposes) are accomplished through dataviews. To implement a variety of privacy rules, a suite comprising a plurality of dataviews is provided. Metadata about the privacy dataviews (including the dataview name, names and data types of the dataview columns, and the method by which the rows are to be derived) is stored persistently in the database's metadata, but the actual data presented by the view is not physically stored anywhere in association with the derived table. Instead, the data itself is stored in a persistent base table, and the view's rows are derived from that base table. Although the dataview is a virtual table, operations can be performed against dataviews just as they can be performed against the base tables.
[0019] The secure data warehouse 102 further comprises a suite of privacy metadata dataviews 108 through which all data in the extended database 106 are presented. Data within the extended database 106 can be viewed, processed, or altered only through the dataviews in this suite. The schema and logical model of the extended database and dataviews is set forth more fully herein with respect to FIG. 2.

[0020] Virtually all access to the data stored in the extended database 106 is provided solely through the dataview suite 108. Thus, business applications 110 and third party applications 112 have access only to such data as permitted by the database view provided. In one embodiment, provision is made to permit override of the customer's privacy preferences. However, in such circumstances, data describing the nature of the override is written to the database for retrieval by the audit module 118, so that the override cannot occur surreptitiously. Further, overrides may be monitored by the privacy metadata monitoring extensions 114 to provide an alert to the consumer when such overrides occur.

[0021] Limiting access to the data stored in the extended database 106 to that provided by the privacy dataview suite 108 provides the capability (1) to implement privacy rules that make the personal data anonymous (through the anonymizing view described herein), (2) to restrict access to opted-out columns, which can apply to all personal data, separate categories of personal data, or individual data columns, and (3) to exclude entire rows (customer records) based on customer opt-outs (excluding a row if any of the applicable opt-out flags has been set for the customer in question, thus preventing any direct marketing or disclosure to third parties).
[0022] Using a client interface module 122 that communicates with the dataviews 108, a client 124 can access, control, and manage the data collected from the client 124. This data control and management can be accomplished using a wide variety of communication media 140, including the Internet 126 (via a suitable browser plug-in 128), a modem 130, voice telephone communications 132, or a kiosk 134 or other device at the point of sale. To facilitate such communications, the kiosk or other device at the point of sale can issue a smartcard 136 or a loyalty card 138. The kiosk/pos device 134 can accept consumer input regarding privacy preferences, and issue a smartcard 136 or loyalty card 138 storing information regarding these preferences. Similarly, using the kiosk/pos device 134 and the smartcard 136 or loyalty card 138, the consumer may update or change preferences as desired. In cases where the loyalty card 138 is a simple read only device (such as a bar-coded attachment to a key ring), the kiosk/pos device 134 can issue replacement cards with the updated information as necessary. Transactions using the loyalty card 138 or smartcard 136 are selectably encrypted and anonymous. Either card may interact directly with the server or through a plug-in to implement the security rules selected.

[0023] Through this interface, the consumer can specify data sharing and retention preferences. These preferences include data retention preferences, and data sharing preferences. These allow the consumer to specify when and under what circumstances personal information may be retained or shared with or sold to others. For example, the consumer may permit such data retention as a part of a loyalty card program, or if the use of the data is limited to particular uses. Further, the consumer may specify under what circumstances the data may be sold outright, used for statistical analysis purposes, or used for third party elective marketing programs.

[0024] The data warehousing system 100 also permits anonymous communication between the client and the secure data warehouse 102 via a privacy service 150. When the user desires an anonymous transaction, the transaction is routed to the privacy service 150. The privacy service 150 accesses a privacy rule database 152 and other security information 154 and uses the privacy rule and security information to remove all information from which the identity of the consumer can be determined. The cleansed transaction information is then forwarded to the anonymity protection interface module 160 in the secure data warehouse. Communications with the secure data warehouse 102 use a proxy user identification, which is created by the privacy service 150 from the customer's username or other identifying information. If the customer does not require an anonymous transaction, the transaction is provided directly to the retailer who may store the transaction information in the extended database.
[0025] Since it alone provides access to data within the extended database, the dataview suite 108 also provides a convenient and comprehensive means for auditing the security of the secure data warehouse 102.
[0026] The secure data warehouse 102 also comprises metadata monitoring extension 114. This extension 114 allows the customer to generate a rule to monitor the use of personal data, and to transmit an alert 116 or callback if a metadata definition change occurs. The consumer can control the metadata monitoring extension 114 to trigger an alert when the customer's personal information is read from the extended database 106, is written to the extended database 106, if the opt-out delimiters stored in the extended database are changed, or when a table or a dataview is accessed. Alternatively, triggered alerts can be logged for later access by the consumer.

[0027] The metadata monitoring extension 114 also records data source information, so customers can determine the source of the data stored in the secure data warehouse 102. The data source may be the customer, or may be a third party intermediary source. This feature is particularly useful when the consumer would like to not only correct erroneous information, but to determine the source of the erroneous information so the error will
[0050] A further class of privileged applications ("Class C") includes applications that use personal information to take some form of action, such as marketing applications (e.g. to create mail or phone solicitations). These marketing applications are subject to the "Opt-in/Opt-out" controls set for each customer, and access customer information through a special dataview that removes or masks all records associated with an activated "Opt-out" indicator. Thus, for example, any customer who has opted out from receiving marketing solicitations would be omitted from any contact list created by the marketing application.
[0051] The "Opt out" indicator is a new column added to customer tables, or joined to existing customer tables via dataviews (which is an additional change to the logical data model). In one embodiment, the value of this column for each customer row is initially set to "Opt Out" (or "Opt in" if permitted by law), and can be modified via the client interface module 122, which handles customer requests regarding privacy controls.
[0052] Multiple "Opt Out" indicators may be set up for each customer record. At a minimum, five opt-outs are implemented: for "direct marketing", "third-party disclosure of identifiable data", "third-party disclosure of anonymous data", "automated decisions", and "use of sensitive data". However, a scheme of more fine-grained opt-outs could be designed, based on more detailed customer preferences. For example, "direct marketing" could be broken out into separate opt-outs for contact by telephone, direct mail, and electronic mail, and a catchall for "other" action. This would yield eight separate opt-outs.

[0053] Opt-out view 266 permits the use of information for purposes of making automated decisions with action applications 110D, such as those which implement phone or mail solicitation. Views into this information are controlled by the flag in column 228. Alternatively, the value stored in column 228 may comprise a character with sufficient range to permit the single character to not only define that solicitation is permitted, but to indicate what kind and scope of permitted solicitation.
[0054] Applications or queries that disclose personal data to third parties (e.g. for marketing or analytic purposes) are subject to both the Class C ("Opt Out") and Class B ("anonymizing") views. If the customer has opted out of third-party use of their data, then the "Opt Out" dataview applies, and their row (record) is excluded from the output. Other customers may have opted in to third-party disclosure of their data provided it is anonymous; in these cases, the customer data is made anonymous via the "anonymizing" dataview before being output. In all other cases, the customer has opted in to disclosure of their personal data in identifiable form; here the personal data is output along with identifying data columns.
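The dataview scheme of [0020]-[0021] (views as the only access path, overrides audited) and the Class B/Class C combination of [0054], modelled below as an added example that is not the patent's own code or schema: a privacy-extended customer table in SQLite, one view per privilege class, and an audit table written by both a trigger on the opt-out columns and the override path. Table, column, view names and the sample rows are all hypothetical; SQLite stands in for the TERADATA system the text names.

```python
# Added, hypothetical example (not the patent's own code): a privacy-extended
# customer table and dataview suite modelled in SQLite, with an audit table
# fed by a trigger so that opt-out changes and overrides are always logged.
import sqlite3

# Constructed schema. Control columns: 1 = opted out, 0 = opted in.
SCHEMA = """
CREATE TABLE customer (
    cust_id       INTEGER PRIMARY KEY,
    name          TEXT NOT NULL,            -- identity segment
    phone         TEXT,                     -- identity segment
    age           INTEGER,                  -- personal information segment
    postcode_area TEXT,                     -- personal information segment
    interest      TEXT,                     -- personal information segment
    optout_direct_marketing  INTEGER NOT NULL DEFAULT 1,  -- data control column
    optout_third_party_ident INTEGER NOT NULL DEFAULT 1,  -- data control column
    optout_third_party_anon  INTEGER NOT NULL DEFAULT 1   -- data control column
);
CREATE TABLE privacy_audit (
    id INTEGER PRIMARY KEY, event TEXT, cust_id INTEGER, actor TEXT, detail TEXT
);
-- Every change to an opt-out flag is recorded for the audit module / alerts.
CREATE TRIGGER log_optout_change AFTER UPDATE OF optout_direct_marketing,
    optout_third_party_ident, optout_third_party_anon ON customer
BEGIN
    INSERT INTO privacy_audit (event, cust_id, actor, detail)
    VALUES ('optout_changed', NEW.cust_id, NULL, 'dm=' || NEW.optout_direct_marketing
            || ' tpi=' || NEW.optout_third_party_ident || ' tpa=' || NEW.optout_third_party_anon);
END;
-- Class A (privileged): full row, both segments.
CREATE VIEW v_persona AS
    SELECT cust_id, name, phone, age, postcode_area, interest FROM customer;
-- Standard view for normal users: identity segment withheld.
CREATE VIEW v_standard AS
    SELECT cust_id, age, postcode_area, interest FROM customer;
-- Class B (analytic): no identity columns, no key, and rows whose owner opted
-- out of anonymous disclosure are dropped entirely.
CREATE VIEW v_anonymizing AS
    SELECT age, postcode_area, interest FROM customer WHERE optout_third_party_anon = 0;
-- Class C (action-taking, e.g. solicitations): whole row excluded on opt-out.
CREATE VIEW v_optout AS
    SELECT cust_id, name, phone, interest FROM customer WHERE optout_direct_marketing = 0;
-- Third-party disclosure: identifiable only if opted in to that, otherwise
-- anonymized if opted in to anonymous disclosure, otherwise excluded.
CREATE VIEW v_third_party AS
    SELECT CASE WHEN optout_third_party_ident = 0 THEN name END AS name,
           CASE WHEN optout_third_party_ident = 0 THEN phone END AS phone,
           age, postcode_area, interest
    FROM customer WHERE optout_third_party_ident = 0 OR optout_third_party_anon = 0;
"""

# Privilege class of the requesting entity -> the only dataview it may use.
DATAVIEW_FOR_CLASS = {"A": "v_persona", "B": "v_anonymizing", "C": "v_optout",
                      "third_party": "v_third_party", "standard": "v_standard"}
CONTROL_COLUMNS = ("optout_direct_marketing", "optout_third_party_ident",
                   "optout_third_party_anon")

# Constructed sample rows: (id, name, phone, age, area, interest, dm, tpi, tpa).
SAMPLE_ROWS = [
    (1, "Bill K. Jones", "555-0101", 41, "SW1", "hiking", 0, 0, 0),
    (2, "Ann Lee", "555-0102", 29, "NW3", "running", 1, 1, 0),
    (3, "Raj Patel", "555-0103", 35, "E2", "shoes", 1, 1, 1),
]


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO customer VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return con


def query(con, privilege_class):
    """Serve a request only through the dataview bound to the requester's class."""
    view = DATAVIEW_FOR_CLASS[privilege_class]     # unknown class -> KeyError, no data
    return con.execute(f"SELECT * FROM {view}").fetchall()


def override_read(con, actor, cust_id, reason):
    """Read identified data past the preferences, but never surreptitiously: the
    override is written to the audit table before any data is returned."""
    con.execute("INSERT INTO privacy_audit (event, cust_id, actor, detail) "
                "VALUES ('override', ?, ?, ?)", (cust_id, actor, reason))
    return con.execute("SELECT * FROM v_persona WHERE cust_id = ?", (cust_id,)).fetchone()


def set_optout(con, cust_id, column, opted_out):
    """Client interface: change one opt-out flag; the trigger logs the change."""
    if column not in CONTROL_COLUMNS:                # never interpolate untrusted names
        raise ValueError("not a data control column")
    con.execute(f"UPDATE customer SET {column} = ? WHERE cust_id = ?",
                (int(opted_out), cust_id))


def audit_events(con):
    return con.execute("SELECT event, cust_id, actor, detail FROM privacy_audit "
                       "ORDER BY id").fetchall()
```

Running `query(build_db(), "third_party")` shows the three outcomes of [0054] side by side: the first sample row comes back identified, the second with its identity columns nulled, and the third is absent.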

[0055] A more fine-grained approach to opting in or out may be implemented. Specific opt-ins or opt-outs could be agreed with each customer for a variety of permissions and protections. For example, disclosure to third parties could be based on specific data fields, relating both to personal characteristics and to personal identifications: a customer might agree to their address and interest profile being provided, but not their financial information and their phone number.
[0056] Opt-in/opt-out could also be further extended to gain a more detailed profile of each customer and their interests. For example, each class of opt-out (e.g. the eight opt-outs identified in section 4) could be applied separately to each category of personal data (e.g. demographic data; preference data), or down to each specific data item of personal data (e.g. age, gender; hiking interest, shoe brand preference). In this manner, customers could opt out of certain actions relating to certain interest areas, but could opt in to others (e.g. to receive direct mail marketing for running shoes).
[0057] FIG. 3 is a diagram showing an alternative logical model of the secure data warehouse 102 with more fine-grained opt-ins and opt-outs. In this embodiment, each class of privacy preference is applied separately to each category of data (e.g. demographics), or down to each specific data item of personal data (e.g. age, gender, hiking interest, or shoe brand preference). For example, consumer Bill K. Jones may elect to allow his name to be accessible for some purposes, but not others. These limitations can be selected by entering the proper combination of flags for the entries in columns 302-310. Similarly, columns 312-320 can be used to specify the privacy preferences with regard to the storage and/or use of Mr. Jones' name. The preferences defined in columns 312-320 may be different or the same as those described in columns 302-310. The present invention also permits the expansion of the foregoing security preference paradigm to a system of multiple fine-grain preferences, based upon more detailed customer preferences. For example, direct marketing could be broken into separate privacy preferences for contact by telephone, direct mail, electronic mail, and a catchall for "other" action. Further, the scope of the direct marketing could be specified so as to permit only a single contact.
[0058] In an alternate embodiment, the security and privacy protection features of the extended database 106 and dataview suite 108 are further enhanced with the use of data encryption. This may be performed by encrypting the data in a given row with an encryption code, or by providing each data field with a unique encryption number. Alternatively, the data may be encrypted at different hierarchical levels of security so as to enforce the privacy preferences of the consumer.

[0059] In one embodiment, encryption techniques are used on any identifying field, and selectively applicable on a row basis. This technique allows customers to remain anonymous (e.g. for data mining purposes), but could allow for positive identification for those applications or data requestors that have data encryption rights.
Operation of Dataviews

[0060] The dataviews in the dataview suite 108 of the present invention generate SQL statements that selectively pull appropriate columns and rows from the base tables into the result table. Compared to conventional techniques (which materialize entire tables before narrowing the data down to a view subset), this technique reduces the processing required to present the data to the data requestor.

Audit Interface 

[0061] The owner of the database or an independent auditing service such as BBB ONLINE, TRUSTE, PRICE-WATERHOUSE, TRW, DMA, or CPA WEBTRUST, or NCR may inexpensively run periodic or complaint-driven reviews of the installation. These reviews examine the logical data model and database schema, applications and users that exist for the system, and a TERADATA access log.

[0062] The logical data model review examines the dataview structure to confirm the existence of "Standard" Views for Normal users (restricting access to personal information), "Anonymizing" Views for analytic applications, and "Opt Out" Views for other applications.

[0063] The applications and user review examines applications and users and the access rights that have been granted to them. This review confirms that "Class A" privileged applications/users have access rights to the "Personal Data" dataview, that "Class B" analytic applications/users have access rights to "anonymizing" dataviews, that "Class C" action-taking applications/users have access rights to "Opt-out" views, that applications that create output tables or files of personal data have access rights to the "Opt Out" and "Anonymizing" Views, and that other applications use the "Standard" View.

[0064] Finally, the TERADATA access log or similar log from another database management system is reviewed to assure that the access activity that has occurred complies with the privacy parameters set forth by the data source.

[0065] FIG. 4 is a diagram presenting an overview of the operation of the privacy auditing features of the present invention. Whenever a data requesting entity desires access to data in the extended database 106, a request is made to the database management system interface 109, which controls access to the data within the database tables in accordance with privacy parameters. Using a dataview provided from the dataview suite 108 to the requesting entity in accordance with the requesting entity's status as described herein, the extended database 106 table is accessed, and the data is provided. At the same time, the database access (or attempted access, if the access is unsuccessful) is logged in an access log 402. Access log 402 includes information regarding the type of access or attempt, the text (SQL) of the request resulting in the access, the frequency of access, the action requested, the name or identification of the requesting entity or application, and the referenced objects (tables, dataviews, and/or macros). The access log 402 permits all accesses to the dataviews in the dataview suite 108, macros in the macro suite 111, or base tables in the extended database 106 to be audited. All activities granting or revoking access privileges can be audited as well. This is made possible because the access log 402 contents and the table/dataview/macro definitions allow a determination of whether the privacy rules have been enforced or broken.
[0066] Privacy audit module 118 is provided to perform a privacy analysis of the data in the access log 402 to validate enforcement of the privacy parameters. The privacy audit module 118 traces all events related to privacy, summarizes activity relating to the access to personal data, and flags any suspected breaches of privacy rules. Privacy test suite 404 comprises programs and other procedures that attempt to "break" the privacy rules, and then examine the access log 402 to determine if privacy rules were enforced or breached. The privacy audit module 118 can be tailored for use by third party auditors who conduct an independent assessment of the enforcement of customer privacy preferences, or for use by the data warehouse manager.
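The audit pass described in [0065] and [0066], as an added example that is not part of the patent text: a small checker that scans access-log rows for accesses outside each requester class's permitted dataviews and for privilege grants not issued by the privacy administrator. The log layout, the class-to-object policy, the requester names and all log rows are constructed for this example; the patent names the classes of [0063] and the fields of access log 402 but specifies no record format.

```python
"""Constructed privacy audit over an access log (example code, not the patent's)."""
from collections import Counter

# Constructed policy following [0063]: which database objects each requester
# class may reference.  Object and class names are assumptions.
POLICY = {
    "CLASS_A": {"personal_data_view"},
    "CLASS_B": {"anonymizing_view"},
    "CLASS_C": {"opt_out_view"},
    "EXPORT": {"opt_out_view", "anonymizing_view"},
    "OTHER": {"standard_view"},
}

# Assumption: only the privacy administrator may grant or revoke privileges.
PRIVACY_ADMINS = {"privacy_admin"}

# Constructed access-log rows mirroring the fields of [0065]:
# (event type, requester, requester class, SQL text, referenced objects)
ACCESS_LOG = [
    ("SELECT", "report_app", "OTHER", "SELECT name, city FROM standard_view", ["standard_view"]),
    ("SELECT", "mining_app", "CLASS_B", "SELECT age, gender FROM anonymizing_view", ["anonymizing_view"]),
    ("SELECT", "mining_app", "CLASS_B", "SELECT name FROM customer", ["customer"]),
    ("SELECT", "mailer", "CLASS_C", "SELECT email FROM opt_out_view", ["opt_out_view"]),
    ("SELECT", "mailer", "CLASS_C", "SELECT email FROM personal_data_view", ["personal_data_view"]),
    ("FAILED", "report_app", "OTHER", "SELECT * FROM customer", ["customer"]),
    ("GRANT", "privacy_admin", "ADMIN", "GRANT SELECT ON opt_out_view TO mailer", ["opt_out_view"]),
    ("GRANT", "mailer", "CLASS_C", "GRANT SELECT ON customer TO mailer", ["customer"]),
]


def audit(log, policy=POLICY, admins=PRIVACY_ADMINS):
    """Return (findings, summary).

    findings: list of (requester, reason, sql) for suspected breaches;
    summary:  per-requester count of successful, policy-conforming accesses,
              the activity summary the audit module is said to produce.
    """
    findings = []
    summary = Counter()
    for event, who, cls, sql, objects in log:
        # Privilege changes are audited separately from data accesses.
        if event in ("GRANT", "REVOKE"):
            if who not in admins:
                findings.append((who, f"{event} issued by non-administrator", sql))
            continue
        allowed = policy.get(cls, set())
        outside = [o for o in objects if o not in allowed]
        if event == "FAILED":
            # A refused attempt on an object outside policy is still surfaced:
            # the DBMS held, but someone tried.
            if outside:
                findings.append((who, "refused attempt on " + ", ".join(outside), sql))
            continue
        if outside:
            findings.append((who, "access outside class policy: " + ", ".join(outside), sql))
        else:
            summary[who] += 1
    return findings, summary


if __name__ == "__main__":
    for who, reason, sql in audit(ACCESS_LOG)[0]:
        print(f"{who:12s} {reason:45s} {sql}")
```

The checker relies on the log recording the referenced objects and the requester's class; a log that stored only SQL text would need the object list parsed out of each statement first.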

Metadata Services 

[0067] Metadata services include a privacy metadata subsystem (PMDS) extension 114. The PMDS extension 114 stores and tracks a number of parameters, and uses these parameters to track activity relating to privacy. Tracked parameters include: (1) data descriptions of all data elements currently in the system (including databases, users, tables, views and macros); (2) data descriptions of internal elements that were source to the system; (3) data descriptions of external elements that were source to the system; (4) data descriptions of internal elements that were target of the system; (5) data descriptions of data elements that were exported from the system; (6) profiles of all users, groups and applications and their access rights to the data; (7) logging of events relating to data access/update, creation of tables/views/macros, granting/revoking of privileges, changes in user profiles, and triggers.
[0068] The PMDS extension 114 also stores and manages executable business rules that govern the data controller's adherence to privacy and the logging of events relating to manipulation of the TERADATA logs (e.g. BEGIN/END LOGGING) or similar logs in another DBMS.

[0069] The PMDS extension 114 also provides a high-level GUI 406 for the privacy administrator to review and manage privacy-related metadata. This will include a graphical representation of the databases and their table/view/macro structure for all customer (consumer or data subject) information, and of the associated user/user group privileges. The GUI 406 also provides a parameter-driven means of setting up privacy rules and generating consequent dataviews, macros, or access rights, based on definitions provided by the privacy administrator through the GUI 406. The GUI 406 also provides a facility to guide an outside auditor through a review of the site's privacy implementation.
[0070] The PMDS extension 114 also provides a reporting facility, which analyzes the contents of the various database and PMDS logs to report on privacy-related activity. The privacy administrator may review such privacy reports via an interactive interface or printed report. Independent auditors, in conjunction with the privacy administrator, may perform their audits with the assistance of such reports.

[0071] The PMDS extension 114 also provides a separate GUI application/utility to support consumers in access, review and correction of their personal data and related privacy rules, and may also provide additional logging facilities to provide more details pertaining to privacy related events.

Macros 

[0072] Either alone or in combination with the dataviews described herein, macros 111 or stored procedures in the database management system interface can be used to control and log accesses to data. Where macros are used to enforce data privacy parameters, users are not given "select" access rights. Instead, users are given the right to access a macro in the macro suite 111 that performs the actual data access and logs the event in the access log 402 for future auditing purposes. Even so, the macros execute against the data through the same views that restrict access to opted-out rows and columns. Such macros are especially appropriate for recording single-row accesses.
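One way to realise the macro arrangement of [0072], as an added example and not the patent's own code: SQLite's authorizer hook refuses any top-level read of the base table, while a named macro reads through the restricting view and writes the event to an access-log table. The table, view, macro name and log columns are assumptions made for this example; the patent's macro suite 111 and access log 402 prescribe no schema, and a production DBMS would use its GRANT mechanism rather than an in-process hook.

```python
"""Macro-mediated, logged access with direct base-table reads refused (example code)."""
import sqlite3

BASE_TABLES = {"customer"}        # assumption: protected base table(s)
DATAVIEWS = {"opt_out_view"}      # assumption: views a macro may read through


def _authorizer(action, table, column, db_name, source):
    """SQLite calls this at statement-compile time.  `source` is the inner-most
    view or trigger performing the access, or None for top-level SQL.  A read
    of a base-table column is allowed only when a registered dataview does it."""
    if action == sqlite3.SQLITE_READ and table in BASE_TABLES and source not in DATAVIEWS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_store():
    """Constructed schema: base table, restricting view and access log 402 analogue."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer(cust_id INTEGER PRIMARY KEY, name TEXT, email TEXT, opt_out INTEGER);
        INSERT INTO customer VALUES (1, 'Bill K. Jones', 'bill@example.invalid', 0),
                                    (2, 'Ann Lee',       'ann@example.invalid',  1);
        -- opted-out rows are omitted entirely, as in the patent's opt-out view
        CREATE VIEW opt_out_view AS SELECT cust_id, email FROM customer WHERE opt_out = 0;
        CREATE TABLE access_log(seq INTEGER PRIMARY KEY, requester TEXT, macro TEXT,
                                sql_text TEXT, objects TEXT, outcome TEXT);
    """)
    conn.set_authorizer(_authorizer)   # installed after DDL so schema creation is unaffected
    return conn


# Constructed macro suite: macro name -> (SQL run on the user's behalf, objects it references)
MACROS = {
    "mail_list": ("SELECT cust_id, email FROM opt_out_view", "opt_out_view"),
}


def run_macro(conn, requester, macro_name):
    """Execute a named macro for a requester and log the event, success or not."""
    sql, objects = MACROS[macro_name]
    try:
        rows = conn.execute(sql).fetchall()
        outcome = "ok"
    except sqlite3.DatabaseError as exc:      # SQLITE_AUTH surfaces as DatabaseError
        rows, outcome = [], f"denied: {exc}"
    conn.execute(
        "INSERT INTO access_log(requester, macro, sql_text, objects, outcome) VALUES (?,?,?,?,?)",
        (requester, macro_name, sql, objects, outcome))
    return rows, outcome


def direct_select_denied(conn):
    """True if a top-level SELECT on the base table is refused by the authorizer."""
    try:
        conn.execute("SELECT name FROM customer").fetchall()
        return False
    except sqlite3.DatabaseError:
        return True


def log_entries(conn):
    return conn.execute("SELECT requester, macro, outcome FROM access_log ORDER BY seq").fetchall()


if __name__ == "__main__":
    c = open_store()
    print("direct select refused:", direct_select_denied(c))
    print(run_macro(c, "mailer", "mail_list"))
    print(log_entries(c))
```

The hook denies by table and column at compile time, so even `SELECT count(*) FROM customer` is refused, while the same columns remain reachable through `opt_out_view` because SQLite reports the view as the source of those reads.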

Data Dictionary 

[0073] The data dictionary 408 stores information about the database schema, including all tables, dataviews and macros in the system, all macros in the system, and all users and their privileges (including the privileges of users owning macros).

Process 

[0074] FIG. 5 is a flow chart illustrating exemplary operations used to practice one embodiment of the present invention. The process begins by extending a database table to store and retrieve privacy preferences in one or more columns associated with the data in the table, as shown in block 502. The database table comprises a plurality of data columns including at least one data control column storing data control information reflecting at least one consumer privacy parameter. This extended database 106 forms the logical model for storing data (personal and non-personal) and privacy parameters. Typically, the database is initially populated with privacy parameters selecting maximum privacy protection (opting out of all data collection, analysis, and dissemination). Where permitted, the database may be initially populated with privacy parameters selecting lower, even minimum privacy protection.

[0075] Privacy parameters can then be accepted from the data source. In this context, the data source is typically the ultimate source of the data (that is, the consumer). However, in other embodiments, the data source may be an intermediary third party that has been provided with the data with instructions on how the data may be used or shared, and which now must assure that the data is used or disseminated in accordance with these instructions. The accepting of the privacy parameters can be accomplished via the client interface module 122, and a client communication device such as a computer running an internet browser 126 and a browser plug-in 128, a simple modem with a telephonic connection, by speaking to a service representative (actual or computer-implemented) via a telephone, or through a kiosk, automatic teller machine (ATM), or other device capable of accepting data source preferences and transmitting them to the client interface module 122. In any of these cases, the data source can view personal data and select privacy parameters consistent with the data source's requirements. Where access is provided through the Internet browser 126, modem, kiosk, or ATM, a privacy wizard can be implemented to guide the user through the process. The data source may decide to opt-in to some of the data collection, analysis, or dissemination activities in exchange for a loyalty program. Once the data source's privacy parameters are obtained, they are stored in the columns associated with the data that is the subject of the privacy parameters.
[0076] Identity information about the consumer (provided by the consumer or collected as a part of transactions with the consumer) is stored in an identity segment or portion 204 of the customer table 202, and personal information about the consumer is stored in a personal information segment or portion 206 of the database table 202. This is depicted in block 504.
[0077] When a requesting entity requests access to the data, access is provided solely through the database management system interface 109 via the dataview suite 108, the macro suite 111, or both, thus assuring that the data is provided in accordance with the data source's personal privacy parameters.

[0078] Next, a data request is received and accepted 506 from a requesting entity having some privileges to access, use, or disseminate the data in the customer table 202. This is shown in block 506. The requesting entity's privileges may entitle it to data via a privileged view (giving it access to virtually all the data in the customer records) or via a restricted (opt-out) view. In contrast, the requesting entity's privileges may be so limited as to disallow viewing of any of the data.
[0079] Then, the data is provided to the requesting entity via a dataview that is selected in accordance with the requesting entity's data privileges, as depicted in block 508. The dataview masks the data in accordance with the privacy parameters supplied by the customer before presenting it to the requesting entity.

[0080] The requesting entity can use the dataview to access the database to obtain the data. In one embodiment, dataviews are provided to the requesting entity in advance, and the requesting entity need only use them to access the data as desired. In another embodiment, the dataviews are provided to the requesting entity in response to a data request, and the dataview is tailored according to the data request, the privacy parameters associated with the data, and the identity of the requesting entity.

[0081] FIG. 6 is a flow chart showing additional detail regarding how the data is provided to the requesting entity via the dataview. First, the dataview is provided to the requesting entity in accordance with the requesting entity's data privileges. This is depicted in block 602. As described earlier, the dataview can be provided in advance or in response to the data request. Next, data is retrieved according to the provided dataview. This is depicted in block 604. The data is retrieved by translating the data request into a database query that selectively pulls columns and rows of data from a base table to a result table. Finally, the result table is provided to the requesting entity, as shown in block 606.

Alternative Embodiments 

[0082] FIG. 7 is a block diagram showing an alternative embodiment of the present invention. In this embodiment, two databases are used. The first is an anonymized database 708, storing anonymized data and pseudonyms associated with the data in tables 706 stored therein. The second database is a trusted database 704, storing tables 702 relating the pseudonyms with customer identification information. In this approach, the customer's name is stored separately in trusted database 704. This database is used by the data management system interface 109 to bind the identity of the customer to the pseudonym, and hence to the data stored in the anonymized database 708. The trusted database also stores the individual's privacy parameters.

[0083] Client pseudonyms can be provided to the client by the issuance of a loyalty card 138 or smart card 136, by Internet 126 or on-line communications with a client computer, or by other means. The pseudonym can then be used as a proxy for consumer transactions (thus keeping any data thus collected anonymous). If desired, different pseudonyms can be used for different merchants, or different stores to prevent data mining to ascertain the identity of the customer.
[0084] The customer may elect to allow the collection, use, or dissemination of non-anonymous data by selecting data privacy preferences. These preferences are enforced by the data management system interface 109, and are provided by the client using the loyalty card 138, smart card 136, Internet 136, or other communication/data storage method. In one embodiment, an intelligent software agent performs data mining functions to examine customer patterns and to make data privacy parameter suggestions based on the mining results.
[0085] In another embodiment, the separate trusted database 704 and anonymized database 708 are used in a multi-level security privacy system, where the encryption, macros, dataviews, and/or separate database techniques disclosed herein are combined to meet the privacy requirements of different jurisdictions, for different retail outlets, or to accommodate different individual preferences.
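The two-database arrangement of FIG. 7 ([0082] to [0085]), as an added example that is not the patent's own code. The patent states that pseudonyms are issued to the consumer via a loyalty or smart card and may differ per merchant so that records cannot be joined across merchants; deriving each pseudonym with a keyed HMAC whose key is held only by the trusted database, together with the table layouts, sample consumers and merchant names, are this example's assumptions.

```python
"""Trusted database 704 + anonymized database 708 with per-merchant pseudonyms (example code)."""
import hashlib
import hmac
import sqlite3


class TrustedStore:
    """Trusted database 704: identity, privacy parameters and the
    identity<->pseudonym binding.  The HMAC key never leaves this store."""

    def __init__(self, secret: bytes):
        self._key = secret                      # assumption: key kept only here
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE customer(cust_id INTEGER PRIMARY KEY, name TEXT,
                                  allow_identified INTEGER);   -- privacy parameter
            CREATE TABLE pseudonym(cust_id INTEGER, merchant TEXT, pseudonym TEXT UNIQUE);
        """)

    def enroll(self, cust_id, name, allow_identified):
        self.db.execute("INSERT INTO customer VALUES (?,?,?)", (cust_id, name, allow_identified))

    def issue_pseudonym(self, cust_id, merchant):
        """Per-merchant pseudonym written to the loyalty card.  Because the
        merchant name is part of the keyed input, the same consumer carries
        unrelated pseudonyms at different merchants."""
        msg = f"{cust_id}:{merchant}".encode()
        p = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        self.db.execute("INSERT OR IGNORE INTO pseudonym VALUES (?,?,?)", (cust_id, merchant, p))
        return p

    def bind_identity(self, pseudonym):
        """Resolve a pseudonym to a name, but only where the consumer's privacy
        parameter permits identified use; otherwise the binding is withheld."""
        row = self.db.execute("""
            SELECT c.name FROM pseudonym p JOIN customer c ON c.cust_id = p.cust_id
            WHERE p.pseudonym = ? AND c.allow_identified = 1""", (pseudonym,)).fetchone()
        return row[0] if row else None


class AnonymizedStore:
    """Anonymized database 708: transaction data keyed by pseudonym only."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE purchase(pseudonym TEXT, merchant TEXT, item TEXT, amount REAL)")

    def record(self, pseudonym, merchant, item, amount):
        self.db.execute("INSERT INTO purchase VALUES (?,?,?,?)", (pseudonym, merchant, item, amount))

    def spend_by_pseudonym(self):
        """Analytics that need no identity run here, on pseudonyms alone."""
        return dict(self.db.execute("SELECT pseudonym, SUM(amount) FROM purchase GROUP BY pseudonym"))


def demo():
    """Constructed scenario: two consumers, two merchants, one opt-in to identified use."""
    trusted = TrustedStore(b"constructed-demo-key")
    anon = AnonymizedStore()
    trusted.enroll(1, "Bill K. Jones", 1)   # allows identified use
    trusted.enroll(2, "Ann Lee", 0)         # stays anonymous
    p1_grocer = trusted.issue_pseudonym(1, "grocer")
    p1_outdoor = trusted.issue_pseudonym(1, "outdoor")
    p2_grocer = trusted.issue_pseudonym(2, "grocer")
    anon.record(p1_grocer, "grocer", "coffee", 8.0)
    anon.record(p1_outdoor, "outdoor", "boots", 120.0)
    anon.record(p2_grocer, "grocer", "tea", 4.0)
    return {
        "unlinkable": p1_grocer != p1_outdoor,       # same consumer, different merchants
        "spend": anon.spend_by_pseudonym(),
        "bill": trusted.bind_identity(p1_grocer),    # opted in: name returned
        "ann": trusted.bind_identity(p2_grocer),     # opted out: None
    }


if __name__ == "__main__":
    print(demo())
```

Only the trusted store can turn a pseudonym back into a name, and it consults the stored privacy parameter before doing so; the anonymized store can be mined freely without learning who its rows belong to.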

[0086] FIG. 8 is a diagram showing another alternative embodiment of the privacy data warehouse. As with the other embodiments previously described, access to the data in the database management system 104 is again accomplished via a dataview in the dataview suite 108, or a macro in the macro suite 111. In this embodiment, a privacy metadata services interface 802 comprising the privacy service 150, the client interface module 122, metadata monitoring extensions 114, and the audit interface 118 is also interposed between all accesses to the database management system 104. The privacy metadata services interface 802 can therefore log and control all access to the database management system 104, the dataviews in the dataview suite 108, and macros in the macro suite 111.
[0087] FIG. 9 is a diagram showing an exemplary implementation of dataviews with an interposed privacy metadata services interface. Visibility and access to the data in the customer base tables in the database management system 104 is provided by dataviews and macros 111. The views into the data are represented by the concentric squares shown in FIG. 9. A consumer access macro or consumer view provides the user/consumer with access to a single row of the customer database table containing data about that consumer or data subject. A system assistant 902 supports the definition and maintenance of the database infrastructure, while a privacy assistant 904 supports the definition and maintenance of the tables, dataviews, macros, user profiles, logs, and audit reports. As before, routine applications 110A have access to the customer base tables via a standard view 260, analytic applications 110C have access via an anonymized view in which data that renders the customer identifiable is masked, action (marketing) applications 110D have access via an opt-out view in which entire rows of customer data are omitted, and third party disclosure applications 112 are provided with a dataview which presents only customers who have opted-in, but does not allow access to identifying data. The opt-out/anonymizing dataview can be a separately implemented dataview, or can be implemented by applying both the opt-out and anonymizing dataviews.
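The dataview suite as a worked example (added here; not the patent's own code) serving [0060], the FIG. 5 and FIG. 6 process (blocks 502 to 508 and 602 to 606) and FIG. 9: an extended customer table with an identity segment, a personal information segment, one data control column per personal item and a row-level opt-out; the Standard, Anonymizing, Opt-out, third-party and privileged dataviews written as SQL views; and a retrieve function that selects the view from the requester's privileges and translates the request into a query against it. Column names, privilege classes and sample rows are constructed.

```python
"""Dataview suite over an extended customer table, in SQLite (example code)."""
import sqlite3

SCHEMA = """
CREATE TABLE customer(
    -- identity segment 204
    cust_id INTEGER PRIMARY KEY, name TEXT, email TEXT,
    -- personal information segment 206
    age INTEGER, gender TEXT, hiking_interest INTEGER,
    -- data control columns: one flag per personal item plus a row-level opt-out
    age_ok INTEGER, gender_ok INTEGER, hiking_ok INTEGER, opt_out INTEGER
);
INSERT INTO customer VALUES
 (1, 'Bill K. Jones', 'bill@example.invalid', 41, 'M', 1,  1, 1, 1,  0),
 (2, 'Ann Lee',       'ann@example.invalid',  29, 'F', 0,  0, 1, 1,  1),
 (3, 'Raj Patel',     'raj@example.invalid',  35, 'M', 1,  1, 0, 0,  0);

-- Standard view (normal users): identity only, personal information withheld
CREATE VIEW standard_view AS SELECT cust_id, name, email FROM customer;

-- Anonymizing view (analytic applications): identity masked, and each personal
-- item shown only where the consumer's flag for that item allows it
CREATE VIEW anonymizing_view AS
  SELECT cust_id,
         CASE WHEN age_ok    THEN age             END AS age,
         CASE WHEN gender_ok THEN gender          END AS gender,
         CASE WHEN hiking_ok THEN hiking_interest END AS hiking_interest
  FROM customer;

-- Opt-out view (action applications): whole rows of opted-out consumers omitted
CREATE VIEW opt_out_view AS
  SELECT cust_id, name, email, age, gender, hiking_interest FROM customer WHERE opt_out = 0;

-- Third-party view: opted-in consumers only AND no identifying data, built by
-- stacking the opt-out and anonymizing views as [0087] allows
CREATE VIEW third_party_view AS
  SELECT a.* FROM anonymizing_view a JOIN opt_out_view o USING (cust_id);

-- Privileged view: everything, including the control columns themselves
CREATE VIEW privileged_view AS SELECT * FROM customer;
"""

# Constructed mapping from privilege class to dataview (block 602)
DATAVIEW_FOR = {
    "privileged": "privileged_view",
    "normal": "standard_view",
    "analytic": "anonymizing_view",
    "action": "opt_out_view",
    "third_party": "third_party_view",
}


def open_warehouse():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def retrieve(conn, privilege, columns):
    """Translate a request for named columns into a query against the dataview
    chosen by privilege (block 604) and return the result rows (block 606).
    Columns the chosen view does not expose are dropped, never fetched from the
    base table; a requester with no recognised privilege gets nothing ([0078])."""
    if privilege not in DATAVIEW_FOR:
        return []
    view = DATAVIEW_FOR[privilege]
    exposed = [row[1] for row in conn.execute(f"PRAGMA table_info({view})")]
    wanted = [c for c in columns if c in exposed]   # allow-listed identifiers only
    if not wanted:
        return []
    return conn.execute(f"SELECT {', '.join(wanted)} FROM {view} ORDER BY cust_id").fetchall()


if __name__ == "__main__":
    db = open_warehouse()
    for cls in ("normal", "analytic", "action", "third_party"):
        print(cls, retrieve(db, cls, ["cust_id", "name", "age", "gender"]))
```

Because the views pull only the needed columns and rows from the base table, the DBMS never materialises the full customer table for a restricted requester, which is the processing saving [0060] describes; the identifiers interpolated into the query are taken only from the view's own column list.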
Claims

1. A data warehousing, management, and privacy control system, characterized by:

a data storage device, storing a database table comprising a plurality of data columns and at least one data control column, the data control column for storing data control information reflecting consumer privacy parameters; wherein the database table comprises an identity segment for storing identity information and a personal information segment for storing personal information; and

a processor, operatively coupled to the data storage device, the processor implementing a dataview suite for presenting data retrieved from the database table in accordance with the data control information.

2. The apparatus of claim 1, wherein the dataview suite comprises an anonymizing view masking identity information.

3. The apparatus of claim 1, wherein the dataview suite comprises a privileged view permitting access to all data in the database table.

4. The apparatus of claim 3, wherein the privileged view further permits alteration of data in the data control columns.

5. The apparatus of claim 1, wherein the database view suite comprises a view masking personal information.

6. The apparatus of claim 1, further comprising a customer interface module providing access to the database table via the privileged view and to permit specification of the consumer privacy parameters.

7. The apparatus of claim 6, wherein the communications through the customer and the client interface module are implemented through a privacy data card.

8. The apparatus of claim 1, further comprising an audit interface module for logging all accesses to the database table.

9. The apparatus of claim 1, wherein the audit interface module logs all access to dataviews in the dataview suite.

10. The apparatus of claim 1, wherein the database table comprises a plurality of data columns for storing personal data and a data control column for each data column storing personal data.



11. A method of retrieving data in a database implementing privacy control, characterized by the steps of:

extending a database table comprising a plurality of data columns to include at least one data control column for storing data control information reflecting at least one consumer privacy parameter;

storing identity information about the consumer in an identity segment of the database table and personal information about the consumer in a personal information segment of the database table;

receiving a data request from a requesting entity having data privileges; and

providing the data to the requesting entity via a dataview selected in accordance with the requesting entity's data privileges, the dataview masking the data in accordance with the consumer privacy parameter.

12. The method of claim 11, wherein the step of providing the data to the requesting entity via a dataview comprises the steps of:

providing a dataview to the requesting entity in accordance with the requesting entity's data privileges;

retrieving the data according to the dataview provided to the requesting entity by translating the data request into a database query that selectively pulls columns and rows directly from a base table into a result table; and

providing the result table to the requesting entity.

13. The method of claim 11, wherein the dataview is an anonymizing view masking identity information.

14. The method of claim 11, wherein the dataview is a view masking personal information.

15. The method of claim 11, wherein the dataview is a privileged view permitting access to all data in the database table.

16. The method of claim 11, wherein the dataview is established using unextended database table names.

17. A program storage device, readable by a computer, embodying one or more instructions executable by the computer to perform method steps for retrieving data in a database implementing privacy control, the method steps characterized by the steps of:

extending a database table comprising a plurality of data columns to include at least one data control column for storing data control information reflecting at least one consumer privacy parameter;

storing identity information about the consumer in an identity segment of the database table and personal information about the consumer in a personal information segment of the database table;

receiving a data request from a requesting entity having data privileges; and

providing the data to the requesting entity via a dataview selected in accordance with the requesting entity's data privileges, the dataview masking the data in accordance with the consumer privacy parameter.

18. The program storage device of claim 17, wherein the method step of providing the data to the requesting entity via a dataview comprises the method steps of:

providing a dataview to the requesting entity in accordance with the requesting entity's data privileges;

retrieving the data according to the dataview provided to the requesting entity by translating the data request into a database query that selectively pulls columns and rows directly from a base table into a result table; and

providing the result table to the requesting entity.

19. The program storage device of claim 17, wherein the dataview is an anonymizing view masking identity information.

20. The program storage device of claim 17, wherein the dataview is a view masking personal information.

21. The program storage device of claim 17, wherein the dataview is a privileged view permitting access to all data in the database table.

22. The program storage device of claim 17, wherein the dataview is established using unextended database table names.